Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

which layer should be use with "ip source guard" & "arp inspection"?

hi,everyone,I'm studing the static "ip source guard" & "arp inspection".I want to know which layer should be used into with "ip source guard" & "arp inspection"?access layer or distribution layer?

I found "ip source guard" is actually a ACL used upon a port,it binds "IP MAC VLANID PORTID..." together,so i think it will be used as close as the PC or Server,access layer is the best.Can this technic used in distribution layer?If it is used in distribution layer,more binding entry should be done,so what should I do?

the same situation about the "arp inspection",is every switches in the Lan uses this technic? If it is true,it's a lot of work to do for the Engineer!

Our Lan uses static IP address,so the DHCP is not used,I must use the "static" function to do.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: which layer should be use with "ip source guard" & "arp insp

Hello Hou,

>> but if a user assigns a static IP address manually,what should I do?

if you don't want to let the user do this, simply don't trust the user port and it will be denied access to the network.

(may be combined with IP source guard and DAI)

When the user calls complaining of network not working you will check if his/her PC is using DHCP or not.

It depends on your company  policy you can enforce this.

if you want to add a static entry for a server that is not using DHCP you can do the following:

or you trust the port where the server is connected

or you add a manual entry like

for DHCP snooping to build a static entry in the DHCP snooping table  you need actually the following:

ip dhcp snooping binding mac-address vlan vlan-id
ip-address interface interface-id expiry seconds

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdhcp82.html#wp1180910

Hope to help

Giuseppe

3 REPLIES
Hall of Fame Super Silver

Re: which layer should be use with "ip source guard" & "arp insp

Hello Hou,

access layer only if there are no end users on distribution layer as it should be in a true hierarchical network

Other colleagues have reported high cpu usage by enabling DHCP snooping on core switches so the question is wise.

Hope to help

Giuseppe

New Member

Re: which layer should be use with "ip source guard" & "arp insp

Hi,guuslar

thanks for the answer.

you said that no end user should be in distrubition layer,so,it is to say : the "ip source guard" & "ip source guard" should be used in access layer?

I will do a experiment with DHCP snooping,and I had another question. I want to use DHCP service in my LAN,but if a user assigns a static IP address manually,what should I do?

Thanks.

Hall of Fame Super Silver

Re: which layer should be use with "ip source guard" & "arp insp

Hello Hou,

>> but if a user assigns a static IP address manually,what should I do?

if you don't want to let the user do this, simply don't trust the user port and it will be denied access to the network.

(may be combined with IP source guard and DAI)

When the user calls complaining of network not working you will check if his/her PC is using DHCP or not.

It depends on your company  policy you can enforce this.

if you want to add a static entry for a server that is not using DHCP you can do the following:

or you trust the port where the server is connected

or you add a manual entry like

for DHCP snooping to build a static entry in the DHCP snooping table  you need actually the following:

ip dhcp snooping binding mac-address vlan vlan-id
ip-address interface interface-id expiry seconds

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdhcp82.html#wp1180910

Hope to help

Giuseppe

336
Views
0
Helpful
3
Replies
CreatePlease to create content